[Pkg-salt-team] Bug#983632: Backport to buster

Damien Norris damien at cantrusthosting.coop
Fri Apr 9 20:58:52 BST 2021


Hello pkg-salt-team list members,

On 2021-03-09, Elimar Riesebieter wrote:
> is there any chance to get an appropriate backport for buster?
> According to [1] buster is vulnerable.
[1] https://security-tracker.debian.org/tracker/source-package/salt

I have been working on a backport of the 2018.3.5 version of these 
patches, as released alongside the 3002 and 2016 versions by upstream on 
Feb 25th: "Active SaltStack CVE Release" [2].
The following kludges were needed for my buster build:
[2] https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

I had several problems with the 2018.3.5 patches, as they contain a 
syntax error and also break numerous tests with their code 
refactoring. This prevents the Debian package build from completing 
without some kludges to get past the test phase.

But I do now have the package building successfully, and it's 
installed in some places and has passed some initial testing in my buster 
infrastructure! :-)

I also have some Debian 9 machines to figure out, and there is a 
2016.11 series of patches provided, so I'm also planning to attempt a 
similar backport for stretch next. I should have some results on that 
this weekend.

Here is more detail on the kludges required, in case anyone else is also 
working on this:

- add the two sets of 2018.3.5 patches to the debian/patches

- Fix the typo on line 2451 of the first of the patches [3]. The 
statement "from" is misspelled "rom", which causes syntax errors during 
tests.

[3] https://gitlab.com/saltstack/open/salt-patches/-/blob/master/patches/2021/01/28/2018.3.5.patch#L2451

- Force-skip most of the VMware cloud tests 
(tests/unit/utils/test_vmware.py), especially the SSL verification 
tests, as they fail due to the fixes for CVE-2020-28972 and/or 
CVE-2020-35662. Some of these tests could be salvaged, as it's just the 
SSL verification ones and then one or two others that fail.

- Force-skip the Portage Config tests 
(tests/unit/modules/test_portage_config.py), which fail for some 
currently unknown reason I'll investigate more.

- The SSHPasswordTest hangs during the build process because of the fix 
for CVE-2021-3148. That fix causes subcommands to be run as a command 
array rather than as a constructed string. Unfortunately, this creates 
some kind of bug in the constructed string to be evaluated (its purpose 
is to determine the Python version numbers available). Instead, the whole 
thing just hangs until you press Ctrl-D to continue the tests/build. 
This will happen shortly after the output:
[tests.support.unit :404 ] >>>>> START >>>>> unit.client.test_ssh.SSHPasswordTests.test_password_failure
and after the final line:
[salt.fileserver :499 ][DEBUG   ] Updating roots fileserver cache
is where you must press Ctrl-D to continue the process.


Other than those kludges, the patches apply well and everything builds 
cleanly. So far it seems to work, but I am unable to test some of the 
features that have been fixed, like the cloud-facing VMware ones (and I 
had to disable those tests).


I am not sure if anyone else has made progress with this? I know that 
donfede had some builds working as well. I am new to the package 
maintainer stuff but am definitely willing to help get this all the way 
done, but I will need some help as I'm a packaging noob.

I'm not really sure what to do next beyond getting it to build without 
the ^D step and trying to get as many tests working as I can.

I am curious as to what the policy is where a security patch from 
upstream did not include the necessary fixes for tests and breaks them? 
Those VMware tests might need expert help to make work again; 
upstream is not committing their CVE patches to their git branches, and 
the code changed drastically between major versions, so there is little to go on 
as to how to fix them.

Anyway, I will report back here once I have one that fully builds 
without the ^D step; at that point it may be ready for further testing. 
I'll also report back on my attempt to get these fixes to stretch.

D.
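The post above describes the shape of the CVE-2021-3148 change (a subcommand run as an argument array instead of an interpolated shell string) and the hang it caused when the string that probes for available Python versions was no longer evaluated the way the old code expected. The following is an added example, not code from the post, from Salt, or from the Debian package. It stands in the local interpreter for the remote `ssh` side so that it runs offline; `VERSION_PROBE`, `run_and_parse`, `probe_as_string`, `probe_as_argv` and `probe_mis_split` are names chosen for this example. It shows three things a packager debugging such a change would want to see: why the string form is the one to get rid of (a metacharacter in an interpolated argument is executed by the shell), that the argv form passes the same argument through as a single literal element, and that running the subcommand with `stdin=DEVNULL` plus a timeout turns a mis-converted command that would otherwise sit waiting for Ctrl-D into a detectable "no version reported" result instead of a stalled test run.

```python
import re
import shlex
import subprocess
import sys

# Constructed example: a probe whose only job is to print the Python
# version found on the target, the role the post ascribes to the hung
# subcommand.  Locally it is run with the current interpreter rather than
# over ssh, so the example needs no network.
VERSION_PROBE = "import sys; print('%d.%d' % sys.version_info[:2])"
VERSION_RE = re.compile(r"^\d+\.\d+$")


def run_and_parse(cmd, shell):
    """Run cmd with stdin closed and a timeout, then look for a version line.

    stdin=DEVNULL is the defensive part: a program that expected a script
    but got none (an interpreter started interactively) reads EOF at once,
    which is exactly what pressing Ctrl-D does by hand, and the timeout
    turns any remaining hang into an exception the test harness reports.
    Returns (version_or_None, full_stdout).
    """
    proc = subprocess.run(
        cmd,
        shell=shell,
        stdin=subprocess.DEVNULL,
        capture_output=True,
        text=True,
        timeout=10,
    )
    out = proc.stdout.strip()
    lines = out.splitlines()
    version = lines[0] if lines and VERSION_RE.match(lines[0]) else None
    return version, out


def probe_as_string(extra_arg):
    """'Before' form: one interpolated string handed to /bin/sh.

    extra_arg is spliced in unquoted, so anything the shell treats
    specially inside it is interpreted by the shell instead of reaching
    the probe as data.  This is the pattern the CVE fix removes.
    """
    cmd = "%s -c %s %s" % (
        shlex.quote(sys.executable),
        shlex.quote(VERSION_PROBE),
        extra_arg,
    )
    return run_and_parse(cmd, shell=True)


def probe_as_argv(extra_arg):
    """'After' form: an argument list, no shell in between.

    extra_arg becomes one element of argv, so it arrives in the probe as
    sys.argv[1] verbatim whatever characters it contains.
    """
    return run_and_parse([sys.executable, "-c", VERSION_PROBE, extra_arg], shell=False)


def probe_mis_split():
    """A bad string-to-argv conversion: the probe script got dropped.

    The interpreter starts without a script and would wait on a terminal
    for input.  With stdin=DEVNULL it exits at EOF with no version line,
    which the caller sees as None rather than as a build that never
    finishes.
    """
    return run_and_parse([sys.executable], shell=False)


if __name__ == "__main__":
    # Constructed argument carrying a shell metacharacter sequence; it is
    # harmless (an echo) and exists only to show which form interprets it.
    untrusted = "; echo INJECTED"
    print("string form :", probe_as_string(untrusted))
    print("argv form   :", probe_as_argv(untrusted))
    print("mis-split   :", probe_mis_split())
```

Run it as a script: the string form prints the version followed by `INJECTED`, the argv form prints only the version, and the mis-split form returns `(None, '')` immediately instead of blocking. The practical takeaway for the backport is that a converted subcommand must keep the remote command as one argv element, and that closing stdin in the test harness makes a wrong conversion fail fast rather than hang.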


